Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/06/10 21:50:25 UTC
svn commit: r1348653 - in /httpd/httpd/trunk:
docs/conf/extra/httpd-ssl.conf.in modules/ssl/ssl_engine_init.c
modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Author: sf
Date: Sun Jun 10 19:50:25 2012
New Revision: 1348653
URL: http://svn.apache.org/viewvc?rev=1348653&view=rev
Log:
Add some improvements as suggested by Kaspar
- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl
version
- rename rv variable
Modified:
httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Sun Jun 10 19:50:25 2012
@@ -159,8 +159,10 @@ SSLCertificateKeyFile "@exp_sysconfdir@/
# TLS-SRP mutual authentication:
# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
-# file (containing login information for SRP user accounts). See
-# the mod_ssl FAQ for instructions on creating this file.
+# file (containing login information for SRP user accounts).
+# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+# detailed instructions on creating this file. Example:
+# "openssl srp -srpvfile @exp_sysconfdir@/passwd.srpv -add username"
#SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv"
# Access Control:
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Jun 10 19:50:25 2012
@@ -532,7 +532,7 @@ static void ssl_init_ctx_tls_extensions(
* TLS-SRP support
*/
if (mctx->srp_vfile != NULL) {
- int rv;
+ int err;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02308)
"Using SRP verifier file [%s]", mctx->srp_vfile);
@@ -545,10 +545,10 @@ static void ssl_init_ctx_tls_extensions(
ssl_die();
}
- rv = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
- if (rv != SRP_NO_ERROR) {
+ err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
+ if (err != SRP_NO_ERROR) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
- "Unable to load SRP verifier file [error %d]", rv);
+ "Unable to load SRP verifier file [error %d]", err);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
ssl_die();
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sun Jun 10 19:50:25 2012
@@ -2254,7 +2254,8 @@ int ssl_callback_SRPServerParams(SSL *ss
char *username = SSL_get_srp_username(ssl);
SRP_user_pwd *u;
- if ((u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+ if (username == NULL
+ || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
*ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
return SSL3_AL_FATAL;
}
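Review bot: The merged condition `if (username == NULL || ...)` rejects two different situations with the same alert, and nothing in the visible lines documents that or records the failure. I would add a comment above it such as `/* no SRP username sent, or no usable entry for it: both get the same alert */`, and consider a low-level log entry on this path so that repeated failed SRP lookups are visible to operators. Whether an unknown name can be told apart from a known one depends on how `mctx->srp_vbase` was created (with or without an unknown-user seed), which is outside this hunk and worth confirming. The body of ssl_callback_SRPServerParams continues past the hunk.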
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Jun 10 19:50:25 2012
@@ -186,10 +186,12 @@
#endif
/* SRP support came in OpenSSL 1.0.1 */
-#if (OPENSSL_VERSION_NUMBER < 0x10001000)
-#define OPENSSL_NO_SRP
-#else
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
#include <openssl/srp.h>
+#else
+#define OPENSSL_NO_SRP
+#endif
#endif
/* mod_ssl headers */
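Review bot: The comment `/* SRP support came in OpenSSL 1.0.1 */` no longer describes the test below it, which now keys on `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` rather than the version number. Something like `/* SRP is usable when OpenSSL was built with it and ssl.h exposes the SRP username callback control */` would match the new logic. The `#ifdef` only gives the right answer if `<openssl/ssl.h>` has already been included above this point, which the hunk does not show; otherwise SRP is silently compiled out. Defining `OPENSSL_NO_SRP` here also writes into OpenSSL's own macro namespace, so a module-local feature macro (for example `HAVE_SRP`, a suggested name) would be more robust against OpenSSL headers included later.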